analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

haxormodev12.zip

Full analysis: https://app.any.run/tasks/26b6208c-3dcd-4fbb-8eda-aaf987e5f4d6
Verdict: Malicious activity
Analysis date: September 30, 2020, 10:28:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

029288BE4CE222E44901ECEBF199AD91

SHA1:

5300D3BDC48322C4EB62C778D91E379BD47B721D

SHA256:

9EAA334B0B2FE3F1EDAD2E70EEBBDC868BC3E4684BEEA5EA6494E98C2FB31560

SSDEEP:

786432:DsWkW8/M3PE86KtKh4+mSH9nMsnPB+eZPY:AWkWdfEeKh7VMsnPQ4Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • HackerMode v12.exe (PID: 4092)
      • SearchProtocolHost.exe (PID: 3056)

    • Application was dropped or rewritten from another process

      • HackerMode v12.exe (PID: 4092)

  • SUSPICIOUS

    • Reads Environment values

      • HackerMode v12.exe (PID: 4092)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3400)

    • Starts Internet Explorer

      • HackerMode v12.exe (PID: 4092)

  • INFO

    • Manual execution by user

      • HackerMode v12.exe (PID: 4092)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3360)
      • iexplore.exe (PID: 924)

    • Changes internet zones settings

      • iexplore.exe (PID: 3360)

    • Application launched itself

      • iexplore.exe (PID: 3360)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 924)
      • iexplore.exe (PID: 3360)

    • Creates files in the user directory

      • iexplore.exe (PID: 924)
      • iexplore.exe (PID: 3360)

    • Reads internet explorer settings

      • iexplore.exe (PID: 924)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3360)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.kmz | Google Earth saved working session (60)
.zip | ZIP compressed archive (40)

EXIF

ZIP

ZipFileName: Adafcaefc/FermentedMango.dll
ZipUncompressedSize: 188928
ZipCompressedSize: 101932
ZipCRC: 0x862e9b63
ZipModifyDate: 2020:09:09 12:32:11
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe searchprotocolhost.exe no specs hackermode v12.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3400"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\haxormodev12.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3056"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
4092"C:\Users\admin\Desktop\HackerMode v12.exe" C:\Users\admin\Desktop\HackerMode v12.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Hacker Mode (Among Us)
Version:
1.0.9.0
3360"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/watch?v=emGmjMAfoJwC:\Program Files\Internet Explorer\iexplore.exe
HackerMode v12.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
924"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3360 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
1 421
Read events
1 266
Write events
0
Delete events
0

Modification events

No data
Executable files
15
Suspicious files
24
Text files
42
Unknown types
22

Dropped files

PID
Process
Filename
Type
3400WinRAR.exeC:\Users\admin\Desktop\HackerMode v12.exeexecutable
MD5:7F7EB4124E62CBDD197B8E6ED7F152E9
SHA256:6B0B11506F87367D2E7E7B38A64A60DC4FDE55B92EBABC2F6AE3D37E756171FD
3400WinRAR.exeC:\Users\admin\Desktop\Resources\alizer.CTxml
MD5:EFBEAEA9F35A50B328E5164D608B10B4
SHA256:DD360F6DC1B5D3F029AD2F4EB72DDAE4B182847969A7B9929E318BADBD52B32D
3400WinRAR.exeC:\Users\admin\Desktop\Adafcaefc\FermentedMango.dllexecutable
MD5:E35DFBF82BAC43A1819BA1ECBF9BCE39
SHA256:616D46A041EDAFFA95729C3B53F1E0FBDAD0A8D4FA5CD51469E0F351626DF1E4
3400WinRAR.exeC:\Users\admin\Desktop\MemorySharp.dllexecutable
MD5:4345CF44E942AAA53A00197B88123477
SHA256:782DDC2BD00820AC70167B5B25E34A85636EE834442626DC443BF8CE954A34CE
3400WinRAR.exeC:\Users\admin\Desktop\Adafcaefc\ToastedMarshmellow.dllexecutable
MD5:3FE73ADA74E0303032126275E5FC97E2
SHA256:E8E7D8C08210A946F2D8FCE8C218FACFD0B3FC11DBB56AD54EACDEF2EE0F7CE3
3400WinRAR.exeC:\Users\admin\Desktop\Adafcaefc\RoastedMelon.dllexecutable
MD5:58F0D444E0B929487A261D951CDCCA3E
SHA256:57B3A315ECF6491CC26A0CAD2ED3F6C0DE739DE3D0F04431D0F1161441754D71
924iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288Bder
MD5:1C400D233070530C717A810D7F9BC99E
SHA256:58B407B0DDF17FBF78FCB2E2DAD4FABAADA9BD88641F19941480951A200AE4E0
924iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab6F8E.tmp
MD5:
SHA256:
924iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar6F8F.tmp
MD5:
SHA256:
924iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\U2WY0L26.txt
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
46
DNS requests
27
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
924
iexplore.exe
GET
200
172.217.22.67:80
http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCoziyTHasflwIAAAAAekur
US
der
472 b
whitelisted
924
iexplore.exe
GET
200
172.217.22.67:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
924
iexplore.exe
GET
200
172.217.22.67:80
http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEBedu0%2BUKJj8CAAAAABXoSI%3D
US
der
471 b
whitelisted
924
iexplore.exe
GET
200
172.217.22.67:80
http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDM8p7YwCDvUCAAAAABXoPk%3D
US
der
471 b
whitelisted
924
iexplore.exe
GET
200
172.217.22.67:80
http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDOs%2FDKHsIMiAIAAAAAeksR
US
der
472 b
whitelisted
924
iexplore.exe
GET
200
172.217.22.67:80
http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEBedu0%2BUKJj8CAAAAABXoSI%3D
US
der
471 b
whitelisted
3360
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
924
iexplore.exe
GET
200
172.217.22.67:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
924
iexplore.exe
GET
200
172.217.22.67:80
http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDOs%2FDKHsIMiAIAAAAAeksR
US
der
472 b
whitelisted
1056
svchost.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
924
iexplore.exe
172.217.22.67:80
ocsp.pki.goog
Google Inc.
US
whitelisted
924
iexplore.exe
172.217.18.3:443
fonts.gstatic.com
Google Inc.
US
whitelisted
924
iexplore.exe
216.58.205.238:443
www.youtube.com
Google Inc.
US
whitelisted
924
iexplore.exe
172.217.23.110:443
www.youtube.com
Google Inc.
US
whitelisted
4092
HackerMode v12.exe
104.23.98.190:443
pastebin.com
Cloudflare Inc
US
malicious
924
iexplore.exe
216.58.205.237:443
accounts.google.com
Google Inc.
US
whitelisted
924
iexplore.exe
216.58.206.4:443
www.google.com
Google Inc.
US
whitelisted
924
iexplore.exe
172.217.18.163:443
www.gstatic.com
Google Inc.
US
whitelisted
3360
iexplore.exe
216.58.205.238:443
www.youtube.com
Google Inc.
US
whitelisted
3360
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
pastebin.com
  • 104.23.98.190
  • 104.23.99.190
shared
www.youtube.com
  • 216.58.205.238
  • 172.217.22.78
  • 172.217.18.14
  • 216.58.207.46
  • 216.58.207.78
  • 172.217.21.206
  • 172.217.22.110
  • 172.217.16.206
  • 172.217.21.238
  • 172.217.16.174
  • 216.58.208.46
  • 172.217.23.110
  • 216.58.212.142
  • 172.217.16.142
  • 172.217.18.110
  • 172.217.22.14
whitelisted
ocsp.pki.goog
  • 172.217.22.67
whitelisted
www.google.com
  • 216.58.206.4
whitelisted
fonts.gstatic.com
  • 172.217.18.3
whitelisted
accounts.google.com
  • 216.58.205.237
shared
s.ytimg.com
  • 172.217.23.110
whitelisted
www.gstatic.com
  • 172.217.18.163
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
api.bing.com
  • 13.107.13.80
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
haxormodev12.zip